There are a growing number of virtualization-aware security technologies that promise to help you keep data moving between virtual machines safe. This video is intended to help you evaluate those technologies and decide how best to integrate them into your existing network topology for a complete view of activity, vulnerabilities and remediation options. Key areas of emphasis include:

How virtualization technology is affecting security, and virtualization vendors' responses

Considerations for virtual firewalls and network segmentation

Tactics for using IDS/IPS with virtualization

Strengths and weaknesses of virtual vulnerability management

About the author: Dave Shackleford is director of risk and compliance and acting director of security assessments at Sword and Shield Enterprise Security Inc., and is a certified SANS instructor. He was formerly CSO at Configuresoft Inc. and CTO at the Center for Internet Security, and has worked as a security architect, analyst, and manager for several Fortune 500 companies. In addition to these roles, he has consulted with hundreds of organizations for regulatory compliance, as well as security and network architecture and engineering.

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact editor@searchsecurity.com.

So, let's just set the backdrop today and take a look at what technologies we've been used to accommodating within our infrastructure as it is. There's a huge variety of these. Obviously, everybody has their own idea of what everyone needs, as far as security technology is concerned. But, generally, when I talk to people out in the world, and they talk about security technology, most folks have firewalls.

Usually, there's some degree of gateway-level anti-malware. If not at the gateway, typically around e-mail technology. Usually, everyone has anti-malware technology, at least at the host level. These are all falling into that best practice category.

Finally, another category that really depends on the organization is vulnerability management, and so we do tend to find more organizations today, at least, running some type of vulnerability scanners on a regular basis, trying to find those vulnerabilities and do something about them, obviously, before attackers do. So, this is really the general level of categorization we kind of call best practices.

For the host side, again, anti-malware is very common. Host-based firewalls or host-based intrusion detection or prevention are very common technologies. Depending on the organization and how it's implemented, some type of configuration or patch management. Again, these are the most common technologies, both on the network side and on the host side, that we tend to see. So, that is the backdrop of the overall security technologies.

Let's move on to our next slide and really ask the question, "How does virtualization affect those technologies?" So, it's not enough to just have them in place and hope that they're probably going to work as we expect them to with the integration of a totally different paradigm for operational technology today, which is virtualization.

We're taking an entirely different stack, we're adding a hypervisor layer in, we're accommodating multiple systems, obviously, virtualizing them on top of one platform, and things don't necessarily work exactly as they used to in our traditional, physical environment. So we do have to take a look and really ask ourselves, "Hey, how are we going to adapt? How are we going to change or, at least, integrate technologies that have a better capacity for understanding the differences and nuances that go along with virtualization?" So, that's the question we are asking.

Sometimes, if we just try to use our, say, traditional intrusion detection system, it can't see all the traffic that's within those virtual environments. Our firewalls, obviously, are intended to be controlling access on our physical networks. So, it may not be the case where we find our virtual systems are actually integrated into those kinds of security paradigms like they used to be. Host-based products, really the same kind of thing, so more of the network is what I was talking about a moment ago.

At the host level, now you're taking a system, and instead of being an actual physical system, obviously, it's being abstracted down into a number of files. Virtualization takes a virtual disk file and a virtual configuration file, and a virtual snapshot file of the state of that system, as an example, in its memory, and uses that, with the concept of this hypervisor, to abstract the hardware so multiple systems can all operate simultaneously on top of one physical platform.

Well, that certainly changes the way that technology, particularly security technology, interprets things like signatures for anti-malware, as an example, or the types of traffic or configuration parameters that are going to be affecting and really in place on top of these systems. So, we really need to take a look at what we've had in place traditionally and start taking a look at some of the technologies out there and how they're adapting to virtualization. Let's go ahead and do that.

A lot of virtualization vendors out there. Not just the virtualization platform vendors themselves, but also the security vendors and how they're starting to integrate.

Starting off with the virtualization platform vendors, there's, obviously, a lot of them, depending on the type of virtualization that you're doing. But we'll focus here more on the traditional virtualization or server virtualization that most people are really starting off these projects with. Obviously, when you get down to nuts and bolts, you tend to find there's only a handful of them that most people are integrating. Microsoft is a big one. They have their Hyper-V platform. Citrix is another. They've certainly had a variety of Xen technologies that are used for virtualization today. The biggest player out there, which most people know, is VMware.

The question, of course, is, "How responsive and proactive are these vendors actually working with the security community and with the security vendor community to ensure that they are integrating their technologies into these platforms?" The two that seem to have a lead here would be VMware and Citrix. And, certainly, VMware is ahead of the curve. They've created their VMsafe program, specifically, to offer APIs to the security vendor community for really seamless integration into their hypervisor platforms. There's been mixed success, and that's not what we're going to focus on today.

Citrix has kind of followed along, and they've got their Citrix Ready certification, with even online labs that people can do their testing in, but they're not quite as mature or robust a program as VMware really has had in place for quite some time. These are the leading-edge things we've seen so far, as far as effort is concerned, to integrate with security technology, but there are a lot of vendors that are taking advantage of this. What we are going to focus on are all those traditional categories that we just discussed in security, so firewalls, things like intrusion detection, and then how that's actually playing into the virtualization environments. So, let's get going.

Solutions, planning; the things you need to think about before you go integrating into your environment. You need to make sure that, hey, maybe what you do have already could work, depending on what it is and how it's been implemented. So, what I always tell people when they're starting to go down this road and really considering virtualization technologies or specific technologies that are focused around security, I say, "Well, what do you have?"

The first thing to take a look at is maybe the firewalls that you've already got. Just to give an example, you may have CheckPoint firewalls, and CheckPoint has made some big strides in trying to integrate into virtualization environments. So you may already have some things in place that you didn't realize might accommodate that virtualization infrastructure. More so than anything else, you may be looking at identical products, but that are available for the virtualization environment or that are ready to integrate into those virtualization environments.

Most of the time, when you go through your product evaluations, a lot of the things you are going to be looking at are going to be identical. If you're looking at firewalls, you're going to be looking at port density, perhaps, although this is a little less applicable in virtual environments; you'll be looking at the speeds and capabilities as far as efficiency is concerned, and, obviously, feature sets, in terms of the types of filtering you can do. When it comes to virtualization, maybe there are a few differences, but by and large, you'll probably be looking at a similar checklist in terms of functionality and really what you're hoping to get out of the product, regardless of how it's implemented. There are some additional points, though, and that's really what I am going to focus on.

Let's start off with virtual firewalls. I have, kind of, alluded to that. The reason for that is because it's led that market space. Most organizations have been aware of the fact that, "Hey, we could get a virtual firewall, if we wanted to." For, maybe, a year and a half, two years now, it's been a while. This is not a new market segment. It's still evolving. It's one that most people are starting to come to grips with and ask themselves whether it's a need they really have, but if you've got a traditionally physical firewall infrastructure in place, there's a very good chance, if you're rapidly virtualizing or a lot of your infrastructure is being virtualized right now, that you've got some gaps in terms of how that physical firewall is going to work for you.

The reason for this is you're taking networks and collapsing them. Instead of having very simple to identify network segments, VLANs that are identified through specific physical ports across your switches, routers, firewalls and all that, now, in one physical system, you may have an entire infrastructure. You've got multiple different segments, you've got multiple virtual switches, and you're going to have to be able to segment that appropriately. Particularly, if you have compliance needs and other types of regulatory concerns that actually mandate that.

A couple things to consider. First of all, just architecturally, do traditional screened subnet approaches still work? You have to ask yourself this. Depending on how you're put together, in terms of your architecture today, it may or may not be something you can easily make a shift to. If you've got a simple environment, and what I mean by that is that you've got some very clearly identified, say, DMZ zones where one of them has a very particular function, another has a very different specific function, but they're easily identified and you don't have too many of them, this is probably an easy shift for you. You can probably look at your virtual environments and kind of compare apples to apples.

In some cases, however, the complexity and interconnections between your different zones may be such that just easily taking what you have set up physically and trying to port it over to a virtual side is not going to be that simple. The other thing you have to ask yourself is simply just the physical versus virtual question. Do I really need to have as much port density as I have?

Let's say, for example, your physical firewalls today have 16 ports. Do I need the same number of ports when I look at a virtual system? Could I architect it perhaps differently? When I am looking at the system that actually has all of my virtualization infrastructure, let's say you're using something from Dell or HP just as your platform, you're limited in the number of actual physical NIC slots that you have, and most of those you are probably going to want to allocate to your virtual machine production environment. If you have to start carving some of those off and allocating them to your firewall, that may be a real serious choice you have to make from a business perspective.

Another thing that you really have to consider is whether or not your auditors will count a virtual firewall as a legitimate means of segmenting your network. A lot of auditors out there that I've spoken with and I've seen actually engaging in compliance audits don't understand exactly how virtual firewalls work. They're not real keen to say, "Hey, okay, that counts as the same kind of thing." So, make sure you understand that, particularly if you are looking at a virtual firewall for this specific purpose.

Then the last couple questions you are going to want to ask around virtual firewalls and segmentation is, "Well, do our existing firewalls support virtualization?" Much like the CheckPoint example I gave a moment ago. You also need to think about who's managing this.

So, a big question, and one that I get a lot of blank stares when I ask people, is I go in the environment and I say, "Well, you've got a virtualization team or, perhaps, your systems administration team has taken over virtualization, but within that virtual infrastructure you've got distinct network components." It's fairly rare to find your, say, Windows administration team managing switches or managing firewalls, but that's exactly what a lot of organizations inadvertently find is going on once they put something like a virtual firewall in, because everything virtualization is handled by this one team. You should really strongly consider the separation of duties that you should have in place with different virtual components, particularly if you're adding in something like a virtual firewall. So, something to make sure that you can do if you are going down that road.

What I have got here on this slide is something taken from VMware, and I've credited them, but it's a fairly simple slide to understand that shows a little bit of a hybrid approach between a physical and a virtual infrastructure in this regard. VMware has got some great literature out there that explains how to think about segmenting the virtual versus physical and heading down the road of more virtual, obviously. I am certainly not endorsing them in any way. They just happened to have this available, and it made the point pretty well.

So what you see here is the use of traditional, physical systems, things like firewalls, in place and still being leveraged just as they were before you really started virtualizing. However, these are being used in conjunction with some additional virtualization technology. And so this is an approach that a lot of enterprises are taking today, which is to use both for a while. As they are heading down the road of more and more virtualization, perhaps they start thinking about phasing out some of their physical infrastructure and using more virtual. Today, typically what I find in mature organizations that have been doing virtualization for a while is that they are using both. That's really what is reflected here. There is both in place, and there's a happy medium that can exist for some time.

To give an example of some of the vendors in the space, and this is definitely not a comprehensive list, so please understand that, I just chose some that are fairly well known and have been out there for a while. Obviously, VMware has their own product. They've had this for some time, and it's grown to be a little bit more mature in its latest phase; it's called vShield Zones. You can get a number of different types of zones that you can implement, and you can do very simple kind of perimeter zoning, much like you would with a traditional perimeter-based firewall. You can also do more application inspection types of firewalls with their vShield App. So they've got kind of this range of things that you can put in place, but you can actually get the base level of vShield Zones free within the product itself. So, they do give you some degree of virtual firewalling.

Many have found, though, that just this base level was not quite enough comparatively with what they're used to from a more robust firewall infrastructure. There are a number of vendors that have much more robust products in this space. Altor Networks is one; they were recently acquired by Juniper, which makes sense given that they are an infrastructure player and they're certainly starting to expand into the virtualization environment. Altor is well known for, specifically, virtual firewall. They don't try to be all things to all people. They make a very full-featured, simple to use and implement virtual firewall technology that's capable of being managed through a central console. Much like, again, you would an enterprise environment with traditional firewalls.

Catbird is another company that makes a lot of virtual security products. They've got what they call their vSecurity or TrustZones virtual firewall. Very similar to what Altor had, obviously, a little different feature set and interface, and so forth. Reflex Systems has a product called vTrust, and it allows you to do segmentation between different zones. Again, kind of the same concept.

The last one on this list is a little bit different. I added it here simply because more people are familiar with it, and I am actually seeing rapid adoption of this in larger enterprises. It's Cisco's virtual switch. One of the complaints early on with virtual technology was, "Hey, I just can't get as much functionality out of these basic, rudimentary virtual switches as I would with my traditional switch technology, where I have a lot of granular control over the access controls I apply at the port level, the different types of virtual LANs or VLANs that are assigned, and so forth."

Well, you can do all of those things now with the Nexus 1000V switch from Cisco. From a security perspective, the reason I have included this here is because many organizations are relying on things like SPAN or mirror ports on their switches today to actually span traffic out and send it off to an intrusion detection system or something along those lines. Well, you couldn't do that easily or readily with the pre-existing set of virtual switches in most technology. Cisco's virtual switch entrance into this market gives you all those same capabilities, but, again, within the virtual environment. So that's a very good thing for a lot of security professionals.

Moving on. Another common thing that we see is virtual intrusion detection and prevention. Early on, when virtualization really started to grow, this was one of the most common questions I fielded: "I can't see all the traffic inside my virtual environment." One of the questions I would then pose back to the people asking me this was, "Do you really need to? Do you really need to see all that traffic?" because most of the time in our environments today, we are not monitoring every bit of traffic between all the systems in every subnet. You may not need to do that within the virtual environment either. There are a number of cases where you do, though, particularly where you have a certain subnet that has, say, payment card data or is subject to certain compliance regulations.

So, including virtual intrusion detection and prevention certainly is something you want to be able to do, and, again, it's a case where maybe your existing technology that's primarily a physical system that's sitting in a rack somewhere doesn't have the capacity to easily integrate into those environments. So, the first question you'll ask is, "Well, can I monitor what I need to monitor today? Could I possibly send some of my virtual environment traffic out to my existing IDS or IPS, and is that going to work for me?" If it does, as I always say, use what you've got. Try to leverage your existing technology to the best that you can. However, you may need to monitor more in depth than that gives you the ability to do. If you really find yourself struggling with your existing technology, you will probably want to look into a virtualization-aware IDS or IPS. There's definitely technology that can help you there.

A number of vendors, and, again, the caveat that this is not an exhaustive list, I am just giving representative examples. Sourcefire, very well known, obviously, because their founder, Marty Roesch, created Snort, which is the best known open source IDS out there, but they've got a whole range of commercial products and their 3D system, and they're absolutely at the top of the game as far as integrating into virtual technology. They really wanted to make sure that they were capable of doing that. They've got virtual 3D sensors; they can tie back to an existing 3D infrastructure where you've got monitoring and all the other things that go along with a true IDS or IPS infrastructure.

TippingPoint, probably one of the best known names in intrusion prevention, now a part of HP. They absolutely have virtual TippingPoint sensors that you can include, so you can integrate right into, say, a VMware environment just as you would with a traditional physical system. IBM ISS, they have a virtual appliance. Their prevention line of IDS and IPS systems can be incorporated in.

Reflex Systems, again, has a very unique solution called their Virtualization Management Center. It doesn't really do it credit by including it just on this slide, because it's much, much more than an IDS or IPS, but it started off as an IDS/IPS and grew into a much more robust security solution. But it has that functionality and can be integrated very easily into VMware environments.

There's plenty of other solutions out there. If you are not really looking to incorporate another vendor product, there are plenty of readily available, open source capabilities that you can get. You can find a virtualized Snort system, or you could create your own. You could actually create a virtual machine, run Snort on it, and then, obviously, set it up in promiscuous mode and do all those fun things, but you'll ask the same questions you typically would as setting up traditional IDS or IPS.

The cost is a major factor. These are going to cost you. Probably not as much as a physical system would, obviously, but you're still going to spend quite a bit of money just investing in the technology and then the operation and management of that, ongoing.

Ease of installation is a factor. Some of these are ready to go. You can actually just kind of drop them down in as a virtual appliance into an existing environment. Some of them actually take a lot more installation, so it is much more software-based, and the integration with those hypervisors may not be as smooth as some of the others. So, you want to make sure you are considering that when you take a look at some of these vendors.

Obviously, everything else comes down to the traditional IDS/IPS questions, which are: what's the quality of their signatures? What kind of behavioral analysis can they do? What kind of alerting and reporting can they give me? False positive reduction. How can they integrate into change control, and integration depth, and so forth? All the same kinds of things you would be asking, regardless of whether it was physical or virtual, but there are a number of solutions out there.

Vulnerability management is another big category for security. So, obviously, we want to make sure that any of our virtual machines are as safe as any of the physical systems. The thing I always remind people is, "Hey, a virtual machine is still a machine." If you virtualize a Windows OS, it has all the same problems that Windows OS may have, meaning you've got to keep up with patches, you've got to keep up with configuration details just as you would on a traditional physical system.

One of the problems that occurs often within virtualized environments is something called virtual sprawl, which means I can create a virtual machine in seconds. It takes a lot more effort to install an OS and get it ready on a physical system, which means that people who have virtual environments tend to proliferate virtual machines, and sometimes it can get out of hand. You may have virtual machines hanging around all over the place that nobody's really paying that much attention to, and that's a problem because those patch cycles could get out of whack, you could ultimately have configuration problems because nobody was actually tuning or adjusting those systems if they were in test environments, the list goes on and on. Thus, the need for vulnerability management, particularly for our virtual environments.

Most of our existing tools can accommodate this fairly well. If you are running, say, the Nessus scanner, just as an example, you could incorporate virtual machines that were live and online without too much of a hiccup. You might want to make sure you knew where those systems were, because you don't want to throttle them by scanning them. There are different performance needs, but if you've got existing scanning technology, there's a pretty good chance that it will probably be able to, at least, give you a rudimentary idea of the state of vulnerabilities on those virtual machines. So keep that in mind.

Sometimes, I've seen some cases where they don't detect hypervisor platforms very well. For instance, if you are running an ESX platform or ESXi from VMware, well, your virtual vulnerability management tools may not actually be able to figure out what that is, and so it will come back with some response and say, "Hey, I think this is a Linux system, or I think this is some other system." Again, it just depends on the vendor and what solution you're using. You, again, may want to consider things like performance effects.

Keep in mind, in a virtualized environment you have maybe a hundred virtual machines all sharing physical resources. So, they're sharing RAM, they're sharing disk space, potentially, they're sharing CPU. So, if you start running these kinds of scanning tools, and throttling them, perhaps, you could actually have an effect on the entire environment, not just those machines. So, again, just something you want to be sure you're planning for and accommodating in your discussions around vulnerability management. So, lots of different deployment options.

Some of the scanners actually can be deployed as virtual appliances. They can be put right inside the virtual environment so they are right up close, right next to the virtual machines, giving you a much more granular look down in there, whereas others may be physical appliances just as you would have today, or even software that just gets installed. It really just depends on what you are looking for. There's a very wide variety.

Here is an example of some of the vendors in the space, and most of these names are probably familiar to many of you. Tenable, probably the leader in vulnerability management, just having been around so long, and so many people know about Nessus; they absolutely have a virtual appliance for Nessus. You can implement this pretty easily into the virtualization environment very quickly.

Rapid7, which is a newcomer in the space, they've been around for a few years now, but they're doing a lot of very interesting things, particularly with their integration of the Metasploit project. Well, they have their NeXpose VM virtual capabilities. So they're absolutely there as well. They're actually integrating very well into a lot of people's environments. So, this is another one that you might want to take a look at.

Qualys has support for scanning virtual systems, as does eEye Retina. They don't necessarily have standalone virtual appliances, but they absolutely come out and say, "Hey, we support the scanning of virtual systems if you already have our appliances or already have our tools in place." For many of you that may be just fine. You don't want to have to go invest in new technology just to accommodate VMs.

Things you'll want to consider: cost, certainly, is one. Trying to rip and replace whatever you have just to get virtualization capabilities may not be a good idea. Integration options: if you want to integrate it down into the environment because you need to get down closer to those VMs, you'll want to look at a vendor that can accommodate that. That's, again, a big factor when you are taking a look at these.

Configuration, scalability, performance, again, all the things that you would look at traditionally around a vulnerability management solution don't really change when you get down into the virtual environment. You just want to make sure that it's going to meet your needs, whatever those are.

Anti-malware is a big one. Most people have been running anti-malwaresolutions for a long time. Again, as I referenced back at the beginning,kind of at the gateway we usually see this around, say, e-mail. We want tomake sure we are not getting e-mail viruses and things, but definitely atthe host. Almost all of us run some type of anti-malware solution on ourlaptops, on desktops, on our servers. Well, when you get into a virtualenvironment, there are some very interesting changes that occur.

First and foremost, because when you start scanning your entire system withtraditional anti-malware technologies, it has a huge significantperformance hit and most of us are well aware of this because we've beencomplaining about it for years. It just is what it is. However, thatchanges when you're inside a virtual environment because if you startscanning that environment and cause that performance spike, again, rememberwhat I just said, you've got shared infrastructure, which means that ahundred virtual machines are sharing memory and sharing CPU. If one of themjust happens to kick of an anti-virus scan and starts trying to suck up CPUor memory just to actually accommodate that scan, you could actually stealresources from other virtual machines causing slow down in the environmentor even, potentially, a denial of service or triggering VM migrations andthings you definitely don't want.

You have to plan very carefully around anti-malware solutions, particularlywhen you put them at the host level. So, if you are integrating this into avirtual machine, I've got a bunch of Windows virtual machines and I want tomake sure they're running anti-virus or whatever anti-malware technology,make sure you are looking at the vendor you have, and that they have theaccommodation for virtual environments. It's very important. Just about allof them do today. It's pretty rare to find an anti-malware solution thatdoesn't accommodate virtualization, but you'll just want to double checkbecause it really could have a significant impact on your environment.

When you get down into the host level, and what I mean by the host is thehypervisor platform itself. So, if you are running Microsoft as Hyper-V,you are running VMware ESX, or ESXi, Citrix XenServer, whatever the case,there's a very different level of support there for anti-malware. In fact,there's many in the community that don't feel that anti-malware is evenneeded on the host itself. Again, I'm not going to recommend that because Ithink you want to make sure you are covered and that will depend on yourrisk tolerance and your own environment. But for those of you who do feelthat you need, for instance, anti-malware on ESX, make sure that you gocheck with the vendor that you're looking at and that they do have fullsupport for it because it's a very, very different technology altogether.So, you want to make sure you've got the specific stuff that will workwithin that environment.

Giving a little example of architecture here, and this is a simple example,but just kind of illustrates what you might be thinking of. You are goingto have to ask the question, "Do I really want to have it on all my hostsor do I potentially want to have it on maybe just a gateway, virtualmachine?" So, if you think about a virtualization environment, again, we'vegot one physical platform and that acts as somewhat of a gateway to therest of the virtual machines that are sitting on it. Well, potentially, you couldimplement something like, a virtual anti-malware gateway where all of thetraffic coming through is somewhat filtered before it even talks to the VMsat all. Something you'll want to consider when you're really consideringall those resource constraints and whether you want to put it on all ofyour different VMs itself.

The other questions you'll have to ask, "Well, where do I put my management server? Is it going to sit within the virtual environment or am I going to send all the traffic back out from the virtual anti-malware gateway to some traditional console? What about access controls for the traffic in and out? Do I have to make a lot of virtual firewall changes just to accommodate the virtual anti-malware technologies?" Even though anti-malware is something we almost take for granted today, it's kind of a simplistic thing that we have gotten very accustomed to, it's one of the more complex decisions inside a virtual environment. Make sure you're really thinking this through when you are looking at different options. Definitely some vendors out there.

The names that you see on this slide should be familiar to just about everyone because they are probably the bigger leaders in the space. Trend Micro, McAfee, Symantec all have anti-malware solutions that will work within a virtual environment. Again, you can get different virtual appliances that will work just fine down within those environments. You can actually get an agent that sits on the virtual machines and works fine within the virtual environments. There is a whole range of these. I won't go through all of them. You can go check out the vendors for yourself, but it should come as no surprise to you that they've adapted their technology to work within these environments.

As another interesting aside, VMware does have an anti-malware, not quite a solution, but essentially a partner focused option with their vShield line that sets up a separate virtual machine within the environment and then integrates with, say, Trend Micro or one of the other anti-malware vendors. And that virtual machine acts as all of the anti-malware processing. It does all of it. Essentially what it does is offload that resource constraint from each of the VMs that are your normal production VMs to this one specific VM that does nothing but look at anti-malware options. So, something else to consider, again, if you want to take a look at VMware's options, they'll integrate with some of the partners out there, but it just goes to show you that this is an evolving space and one that is taking a different look at the way we've traditionally done some of this.

Improving anti-malware with virtualization, maybe not so much. This is not something that most people consider, but it is something that you should ask yourself, "Could I have a better option for doing my anti-malware operations just by doing it in a virtual fashion? Maybe I could." If I want malware analysis or reverse engineering, virtual solutions are great because you can revert them back to a known, clean state after doing the analysis.

You can have, again, these localized anti-virus proxies where everything is passing in and out. You could actually take your offline virtual machines and scan them in an offline state to have maybe a more efficient type of operation than throttling them while they are online. So there are a lot of new considerations. It really just goes to show you this is an evolving space altogether.

The last category is more operational in nature. Again, just getting into the guts of things; configuration, inventory, patch management, a lot of the things we take for granted in most of our operational environments today, but there's a lot of options out there for you. There are way too many to cover in this discussion.

Inventory management, as I said, is critical because you don't want to end up having virtual sprawl. Keeping up with where those virtual machines are and what virtual machines you've got is paramount because, otherwise, you could find yourself in a situation where you have unsafe or vulnerable systems all over the place.

Configuration management can get a lot more complex because, obviously, virtual machines on VMware versus Citrix versus Microsoft, all totally different. You want to make sure all the different parameters are being considered in how they are getting locked down. Depending on the solution you've chosen to implement, there's a good chance that some sort of template technology already exists. If you are using VMware as an example, you can use host profiles to give a snapshot of the underlying hypervisor host and then clone that or replicate it. You can do the same things for the virtual machines by using templates. This could actually help you in configuration management, toward having a much stricter regimen of keeping things up to date and patching, and so forth.

Most of the patch management solutions out there are doing a good job of keeping up with virtualized environments. Again, if you are already using one of the well known patch management vendors, then there's a good chance that they've already gotten to the point where they support virtualization, but, again, make sure that you are checking into that.
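The inventory, configuration and patch-agent checks just described, as an added example that is not part of the talk and not any hypervisor vendor's tooling: it reconciles what the hypervisor reports against an approved inventory and a template baseline, over constructed sample data, with all setting and agent names being illustrative assumptions.

```python
"""Inventory reconciliation and configuration-drift check for a virtual environment.
Added example on constructed data, not code from the talk or any hypervisor vendor."""
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    host: str          # hypervisor host the VM currently runs on
    settings: dict     # hypervisor-level settings read from the VM's configuration
    agents: frozenset  # security agents reporting in from inside the guest


# Constructed: what the hypervisor management API reports as running right now.
HYPERVISOR_INVENTORY = [
    VM("web01", "esx-a", {"clipboard_sharing": False, "unrestricted_devices": False},
       frozenset({"antimalware", "patch"})),
    VM("db01", "esx-a", {"clipboard_sharing": True, "unrestricted_devices": False},
       frozenset({"antimalware", "patch"})),
    # A clone someone spun up for testing and never registered anywhere: sprawl.
    VM("test-clone-7", "esx-b", {"clipboard_sharing": True, "unrestricted_devices": True},
       frozenset()),
]
# Constructed: the approved inventory (CMDB), the hardened-template baseline,
# and the agents every production VM is expected to run.
CMDB = {"web01", "db01"}
BASELINE = {"clipboard_sharing": False, "unrestricted_devices": False}
REQUIRED_AGENTS = frozenset({"antimalware", "patch"})


def find_sprawl(inventory, cmdb):
    """VMs the hypervisor runs that the CMDB does not know about (virtual sprawl)."""
    return sorted(vm.name for vm in inventory if vm.name not in cmdb)


def find_drift(inventory, baseline):
    """Map each VM to the settings where it no longer matches the template baseline."""
    drift = {}
    for vm in inventory:
        off = {k: vm.settings.get(k) for k, want in baseline.items()
               if vm.settings.get(k) != want}
        if off:
            drift[vm.name] = off
    return drift


def find_missing_agents(inventory, required):
    """Map each VM to the required agents (e.g. anti-malware) it is not running."""
    return {vm.name: sorted(required - vm.agents)
            for vm in inventory if required - vm.agents}
```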

Additional vendors and products, this is just to kind of follow up. There are a lot of new things happening in this space. I'm kind of just giving examples here, but what we've talked about is the more traditional types of security technology. But there's a lot more going on inside the virtual environment, especially, when you talk about cloud computing, and people that are developing internal cloud environments, or shared services environments, you've got to ask yourself, "Well, hey, is it okay to have sensitive data on a virtual machine that's sitting right next to a virtual machine without the sensitive data? How do I really protect myself from that? How do I assign policies to a virtual machine as it moves around within the environment and keep it with that virtual machine?"

So lots of new and different questions we have to ask in terms of the different types of threats we are facing. There are new technologies out there that are starting to emerge. I've given two examples of fairly innovative companies that are doing some interesting and different things. I already talked about Reflex Systems and their Virtualization Management Center.

HyTrust is another company that has, what they call, their HyTrust appliance. What these do is give you much more holistic policy management and overall threat detection, and so forth, within the entire virtual infrastructure versus just one piece of it. Something to take a look at if you're really virtualizing rapidly.

To wrap up, something to keep in mind, make sure, first and foremost, you're looking at your existing vendors and seeing what they can do for you. If you find that they are not able to actually keep up with what you're doing in terms of virtualization, you may need to look at some other options, but the good news is there are plenty of options out there.

Thanks very much for joining me. I'm, again, Dave Shackleford, and we'll see you next time.
